DETAILED ACTION 

1. The original application contained claims 1-21. Claims 1, 8 and 15 were 
amended in the amendment filed on 12/13/2005. That amendment has been 
entered and made of record. Claims 1-21 are presently pending. 

Response to Arguments 

2. Applicant's arguments with respect to the instant claims have been fully considered 
but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

A person shall be entitled to a patent unless - 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1 - 21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Farley et al. (Publication Number: 2002/0078381), in view of Drake et al. (US Patent 
6347374). 
As per claims 1, 8 and 15, Farley teaches a method in a data processing system 
for reporting security situations, comprising the steps of: 

logging events by storing event attributes as an event set, wherein each event 
set includes a source attribute, a target attribute and an event category attribute (Farley, 
see example, Para [0019] Line 1-3 and Para [0019] Line 12-17: SRC / DEST / 
EVENT TYPE as the event attribute parameters); 

Farley teaches classifying and correlating the raw events (Farley, Para [0019] 
Line 1-3). However, Farley does not expressly disclose classifying events as groups 
by aggregating events having an identical value for at least one attribute within the 
event set. 

Drake teaches classifying events as groups by aggregating events having an 
identical value for at least one attribute within the event set (Drake, see example, Column 11 
Line 38-50 and Column 14 Line 18-21: Drake teaches aggregating the correlated 
raw events into event groups sharing an identical value for at least one attribute within 
the event set, such as (a) the same user ID, or (b) the same group type, e.g. "authentication 
failure", to generate an alert of severity situations). 

calculating severity levels for the groups, wherein a severity level for a group is a 
function of a number of events comprising the group and values of common elements in 
the group (Drake, see example, Column 12 Line 29-30, Column 11 Line 38-50 and 
Column 14 Line 18-21: the "authentication failure" is qualified to meet the severity 
level as an event caused by the failures of a user login). 

reporting a group from the groups to a user as a situation, if a severity level of the 
group exceeds a threshold value (Drake, see example, Column 11 Line 38-50 and 
Column 14 Line 18-21: the "authentication failure" is qualified to meet the severity 
level as an event caused by the failures of a user login when the aggregated events 
exceed the predetermined number (i.e., threshold = 3) as taught by Drake). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Drake with the system of Farley 
because (a) Farley teaches classifying and correlating raw events by providing a 
security management system in a networked computer system (Farley, Para [0019] Line 
1-3 and Para [0016]) and (b) Drake teaches improving network security by providing 
an effective event detecting system (Drake, see example, Column 2 Line 4-8 and 
Column 3 Line 34-35). 

As per claims 2, 9 and 16, Farley as modified further teaches the severity levels 
are calculated based on at least one of the number of event sets within each of the 
groups, the source attribute of the event sets within each of the groups, the target 
attribute of the event sets within each of the groups, and the event category attribute of 
the event sets within each of the groups (Drake, see example, Column 11 Line 38-50 
and Column 14 Line 18-21: Drake teaches aggregating the correlated raw events into 
event groups sharing an identical value for at least one attribute within the event set, such 
as (a) the same user ID, or (b) the same group type, e.g. "authentication failure", to generate an 
alert of severity situations). 
As per claims 3, 10 and 17, Farley as modified further teaches the events include 
at least one of a web server event, an electronic mail event, a Trojan horse, denial of 
service, a virus, a network event, an authentication failure, and an access violation 
(Farley: Para [0016] Line 1-10). 

As per claims 4, 11 and 18, Farley as modified further teaches calculating the 
threshold value based on at least one of the source attribute of the event sets within the 
group, the target attribute of the event sets within the group, the event category attribute 
in each event set of the group, and the number of attributes in each event set of the 
group that are held constant across all of the event sets in the group (Burrows: Para 
[0050] Line 3-9: the "broadcast storm" is qualified to meet the severity level as an 
event caused by the identical SRC and different DEST when the aggregated events 
exceed the predetermined number (i.e., threshold) as taught by Burrows). 

As per claims 5, 12 and 19, Farley as modified further teaches the target attribute 
represents one of a computer and a collection of computers (Farley, see example, Para 
[0019] Line 1-3 and Para [0019] Line 12-17: SRC / DEST / EVENT TYPE as the 
event attribute parameters). 

As per claims 6, 13 and 20, Farley as modified further teaches the 
source attribute represents one of a computer and a collection of computers (Farley, 
see example, Para [0019] Line 1-3 and Para [0019] Line 12-17: SRC / DEST / 
EVENT TYPE as the event attribute parameters). 

As per claims 7, 14 and 21, Farley as modified further teaches aggregating a 
subset of the groups into a combined group (Farley, see example, Para [0079] and 
[0080]; Burrows, see example, Para [0050] and Para [0046] Line 10-11). 
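The following is an added worked example, written for this page and not taken from the application, Farley, Drake or Burrows, of the method as characterized in the rejections of claims 1, 4 and 7 above: event sets with source, target and category attributes; groups formed from events sharing identical attribute values; a severity that is a function of the group's event count and its common elements; a threshold derived from the shared category and from how many attributes are held constant; and a subset of groups merged into a combined group. The category weights, base thresholds and the sample event log are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Attributes that make up an event set (source / target / event category),
# in the order used when reporting common elements.
ATTRIBUTES = ("source", "target", "category")


@dataclass(frozen=True)
class Event:
    source: str    # originating computer or collection of computers
    target: str    # computer or collection of computers acted upon
    category: str  # event category, e.g. "authentication_failure"


# Constructed sample event log (illustrative only; not from any cited reference).
SAMPLE_EVENTS = [
    Event("10.0.0.5", "mail01", "authentication_failure"),
    Event("10.0.0.5", "mail01", "authentication_failure"),
    Event("10.0.0.5", "mail01", "authentication_failure"),
    Event("10.0.0.5", "mail01", "authentication_failure"),
    Event("10.0.0.9", "web01", "web_server_event"),
    Event("10.0.0.7", "web01", "access_violation"),
    Event("10.0.0.7", "db01", "access_violation"),
    Event("10.0.0.7", "mail01", "access_violation"),
]

# Assumed weight per category; categories not listed weigh 1.
CATEGORY_WEIGHT = {
    "authentication_failure": 2,
    "access_violation": 3,
    "denial_of_service": 4,
    "virus": 4,
    "trojan_horse": 5,
}
# Assumed base threshold per category, reduced by one for each attribute
# beyond the first that is held constant across the group, so a more
# specific group needs fewer events before it is reported.
BASE_THRESHOLD = {"authentication_failure": 6, "access_violation": 6}
DEFAULT_THRESHOLD = 8


def group_events(events, key_attrs=ATTRIBUTES):
    """Aggregate events whose values for key_attrs are identical."""
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(getattr(ev, a) for a in key_attrs)].append(ev)
    return list(groups.values())


def common_elements(group):
    """Attributes whose value is the same in every event set of the group."""
    first = group[0]
    return {a: getattr(first, a) for a in ATTRIBUTES
            if all(getattr(e, a) == getattr(first, a) for e in group)}


def severity(group):
    """Severity grows with the number of events and with the weight of the
    category they share; a group with mixed categories gets weight 1."""
    shared_category = common_elements(group).get("category")
    return len(group) * CATEGORY_WEIGHT.get(shared_category, 1)


def threshold(group):
    """Threshold derived from the shared category and from how many
    attributes are held constant across the group."""
    common = common_elements(group)
    base = BASE_THRESHOLD.get(common.get("category"), DEFAULT_THRESHOLD)
    return base - (len(common) - 1)


def combine_groups(groups, keep_attrs):
    """Merge groups whose events agree on keep_attrs into combined groups,
    e.g. one source hitting many targets with the same category."""
    merged = defaultdict(list)
    for group in groups:
        common = common_elements(group)
        if all(a in common for a in keep_attrs):
            merged[tuple(common[a] for a in keep_attrs)].extend(group)
    return list(merged.values())


def situations(groups):
    """Report each group whose severity exceeds its threshold."""
    reported = []
    for group in groups:
        sev, thr = severity(group), threshold(group)
        if sev > thr:
            reported.append({"common": common_elements(group), "events": len(group),
                             "severity": sev, "threshold": thr})
    return reported


if __name__ == "__main__":
    fine = group_events(SAMPLE_EVENTS)
    for s in situations(fine):
        print("situation:", s)
    # The three access violations from 10.0.0.7 each fall below threshold on
    # their own but exceed it once combined on (source, category).
    for s in situations(combine_groups(fine, ("source", "category"))):
        print("combined situation:", s)
```

Run stand-alone, the fine-grained pass reports only the four repeated login failures from 10.0.0.5 against mail01. The single access violations from 10.0.0.7 against three different targets each stay under threshold, which is the gap a combined group closes: merging the groups that agree on source and category yields one group of three events with two constant attributes, whose severity (9) exceeds its threshold (5), so the one-source-many-targets pattern is reported as a situation.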



Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Longbit Chai whose telephone number is 571-272-3788. 
The examiner can normally be reached on Monday-Friday 8:00am-4:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 